CVE-2025-47950 — Allocation of Resources Without Limits or Throttling in Coredns
Severity
7.5HIGHNVD
NVD6.6
EPSS
0.2%
top 64.24%
CISA KEV
Not in KEV
Exploit
No known exploits
Affected products
Timeline
PublishedJun 6
Latest updateJan 8
Description
CoreDNS is a DNS server that chains plugins. In versions prior to 1.12.2, a Denial of Service (DoS) vulnerability exists in the CoreDNS DNS-over-QUIC (DoQ) server implementation. The server previously created a new goroutine for every incoming QUIC stream without imposing any limits on the number of concurrent streams or goroutines. A remote, unauthenticated attacker could open a large number of streams, leading to uncontrolled memory consumption and eventually causing an Out Of Memory (OOM) cra…
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:HExploitability: 3.9 | Impact: 3.6
Affected Packages6 packages
Patches
🔴Vulnerability Details
5OSV▶
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages↗2026-01-08
GHSA▶
CoreDNS gRPC/HTTPS/HTTP3 servers lack resource limits, enabling DoS via unbounded connections and oversized messages↗2026-01-08
OSV▶
CoreDNS Vulnerable to DoQ Memory Exhaustion via Stream Amplification in github.com/coredns/coredns↗2025-06-10
📋Vendor Advisories
3Red Hat▶
github.com/coredns/coredns/core/dnsserver: CoreDNS DoS via unbounded connections and oversized messages↗2026-01-08